Attributes for information barrier policies

Certain attributes in Azure Active Directory can be used to segment users. Once segments are defined, those segments can be used as filters for information barrier policies. For example, you might use Department to define segments of users by department within your organization (assuming no single employee works for two departments at the same time).

This article describes how to use attributes with information barriers, and it provides a list of attributes that can be used. To learn more about information barriers, see the following resources:

How to use attributes in information barrier policies

The attributes listed in this article can be used to define or edit segments of users. Your defined segments serve as parameters (called UserGroupFilter values) in information barrier policies.

  1. Determine which attribute you want to use to define segments. (See the Reference section in this article.)

  2. Make sure the user accounts have values filled in for the attribute(s) you selected in Step 1. View user account details, and if necessary, edit user accounts to include attribute values.

  3. Define segments using PowerShell, similar to the following examples:

    | Example | Cmdlet |
    |---|---|
    | Define a segment called Segment1 using the Department attribute | New-OrganizationSegment -Name "Segment1" -UserGroupFilter "Department -eq 'Department1'" |
    | Define a segment called SegmentA using the MemberOf attribute (suppose this attribute contains group names, such as "BlueGroup") | New-OrganizationSegment -Name "SegmentA" -UserGroupFilter "MemberOf -eq 'BlueGroup'" |
    | Define a segment called DayTraders using ExtensionAttribute1 (suppose this attribute contains job titles, such as "DayTrader") | New-OrganizationSegment -Name "DayTraders" -UserGroupFilter "ExtensionAttribute1 -eq 'DayTrader'" |

    Tip

    When you define segments, use the same attribute for all your segments. For example, if you define some segments using Department, define all of the segments using Department. Don't define some segments using Department and others using MemberOf. Make sure your segments do not overlap; each user should be assigned to exactly one segment.
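The checks from step 2 and the tip above, as an added example (not part of the original article or of Microsoft's tooling): it validates a planned set of segments against user records and prints the `New-OrganizationSegment` lines only when every user has a value and falls into exactly one segment. The user records, the `Segment2` name and the `Test-SegmentPlan` helper are constructed for illustration.

```powershell
# Constructed sample records; in practice, export these from your directory.
$users = @(
    [pscustomobject]@{ UPN = 'alice@contoso.example'; Department = 'Department1' }
    [pscustomobject]@{ UPN = 'bob@contoso.example';   Department = 'Department2' }
    [pscustomobject]@{ UPN = 'carol@contoso.example'; Department = '' }            # attribute not filled in
    [pscustomobject]@{ UPN = 'dave@contoso.example';  Department = 'Department3' } # value no segment covers
)
# Planned segments (constructed); Segment2 is an assumed name for illustration.
$segments = @(
    [pscustomobject]@{ Name = 'Segment1'; Attribute = 'Department'; Value = 'Department1' }
    [pscustomobject]@{ Name = 'Segment2'; Attribute = 'Department'; Value = 'Department2' }
)

# Test-SegmentPlan is a hypothetical helper, not a Microsoft cmdlet.
function Test-SegmentPlan {
    param([object[]]$Users, [object[]]$Segments)
    $issues = [System.Collections.Generic.List[string]]::new()

    # All segments should be defined on the same attribute.
    $attrs = @($Segments.Attribute | Sort-Object -Unique)
    if ($attrs.Count -gt 1) { $issues.Add("Mixed attributes: $($attrs -join ', ')") }

    # Two segments with the same attribute and value select the same users.
    foreach ($g in ($Segments | Group-Object Attribute, Value | Where-Object Count -gt 1)) {
        $issues.Add("Overlapping segments: $($g.Group.Name -join ', ')")
    }

    # Each user must have a value and land in exactly one segment.
    foreach ($u in $Users) {
        $empty = @($attrs | Where-Object { [string]::IsNullOrWhiteSpace($u.$_) })
        if ($empty.Count -gt 0) { $issues.Add("$($u.UPN): no value for $($empty -join ', ')"); continue }
        $hits = @($Segments | Where-Object { $u.($_.Attribute) -eq $_.Value })
        if ($hits.Count -ne 1) { $issues.Add("$($u.UPN): matches $($hits.Count) segments") }
    }
    return $issues
}

$issues = @(Test-SegmentPlan -Users $users -Segments $segments)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    # Only emit the cmdlet lines once the plan is clean.
    $segments | ForEach-Object {
        'New-OrganizationSegment -Name "{0}" -UserGroupFilter "{1} -eq ''{2}''"' -f $_.Name, $_.Attribute, $_.Value
    }
}
```

With the sample data the script warns about the account with an empty Department and the account whose department has no segment, so no cmdlet lines are printed until both are resolved.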

Reference

The following table lists the attributes that you can use with information barriers.

| Azure Active Directory property name (LDAP display name) | Exchange property name |
|---|---|
| Co | Co |
| Company | Company |
| Department | Department |
| ExtensionAttribute1 | CustomAttribute1 |
| ExtensionAttribute2 | CustomAttribute2 |
| ExtensionAttribute3 | CustomAttribute3 |
| ExtensionAttribute4 | CustomAttribute4 |
| ExtensionAttribute5 | CustomAttribute5 |
| ExtensionAttribute6 | CustomAttribute6 |
| ExtensionAttribute7 | CustomAttribute7 |
| ExtensionAttribute8 | CustomAttribute8 |
| ExtensionAttribute9 | CustomAttribute9 |
| ExtensionAttribute10 | CustomAttribute10 |
| ExtensionAttribute11 | CustomAttribute11 |
| ExtensionAttribute12 | CustomAttribute12 |
| ExtensionAttribute13 | CustomAttribute13 |
| ExtensionAttribute14 | CustomAttribute14 |
| ExtensionAttribute15 | CustomAttribute15 |
| MSExchExtensionCustomAttribute1 | ExtensionCustomAttribute1 |
| MSExchExtensionCustomAttribute2 | ExtensionCustomAttribute2 |
| MSExchExtensionCustomAttribute3 | ExtensionCustomAttribute3 |
| MSExchExtensionCustomAttribute4 | ExtensionCustomAttribute4 |
| MSExchExtensionCustomAttribute5 | ExtensionCustomAttribute5 |
| MailNickname | Alias |
| PhysicalDeliveryOfficeName | Office |
| PostalCode | PostalCode |
| ProxyAddresses | EmailAddresses |
| StreetAddress | StreetAddress |
| TargetAddress | ExternalEmailAddress |
| UsageLocation | UsageLocation |
| UserPrincipalName | UserPrincipalName |
| Mail | WindowsEmailAddress |
| Description | Description |
| MemberOf | MemberOfGroup |

Resources